Digital Forensic Process: Acquisition, Analysis and Reporting

A digital forensic investigation, or digital forensic process for short, commonly consists of three stages: acquisition (imaging) of exhibits, analysis, and reporting. Ideally, acquisition captures an image of the computer’s volatile memory (RAM) and creates an exact sector-level duplicate (a “forensic duplicate”) of the storage media, typically through a write-blocking device so that the original cannot be modified. However, the growth in storage sizes and developments such as cloud computing have led to more use of ‘live’ acquisitions, in which a ‘logical’ copy of the data (files and folders as the operating system presents them) is acquired rather than a complete image of the physical device. The acquired image (or logical copy) and the original media are both hashed and the two values compared to verify that the copy is accurate. MD5 and SHA-1 are still widely recorded for compatibility with older reports and tools, but both have practical collision attacks, so a current acquisition should also record a SHA-256 digest (most imaging tools can compute several at once). A hash of a live system is only meaningful at the moment it is taken, because the source keeps changing; a live or logical acquisition is therefore documented by hashing the acquired data and recording the time, tool and method, not by re-hashing the original afterwards.
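The imaging-and-verification step described above, as an added example that is not part of the original page or of any vendor tool. It duplicates a constructed in-memory “device” block by block, hashes both source and image with MD5, SHA-1 and SHA-256, compares the digests, and shows that a single flipped byte in the duplicate fails verification. The block size, the sample data and the helper names are assumptions for illustration; a real acquisition reads the physical device (behind a write blocker) and uses the tool’s own block size.

```python
"""Sector-level imaging with hash verification (added example, not E-SPIN's code)."""
import hashlib
import io
import random

BLOCK = 4096                              # assumed read size; real tools use the device block size
ALGORITHMS = ("md5", "sha1", "sha256")    # legacy digests are recorded, but all must match


def hash_stream(stream, algorithms=ALGORITHMS, block=BLOCK):
    """Return {algorithm: hexdigest} for a file-like object, read in blocks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)


def image_device(source, image, block=BLOCK):
    """Copy every byte of `source` to `image` block by block; return bytes copied."""
    source.seek(0)
    copied = 0
    while True:
        chunk = source.read(block)
        if not chunk:
            break
        image.write(chunk)
        copied += len(chunk)
    image.flush()
    return copied


def verify_image(source, image, algorithms=ALGORITHMS):
    """Hash original and duplicate; the image is verified only if every digest matches."""
    src = hash_stream(source, algorithms)
    img = hash_stream(image, algorithms)
    matches = {alg: src[alg] == img[alg] for alg in algorithms}
    return {"source": src, "image": img, "matches": matches,
            "verified": all(matches.values())}


def build_sample_device(size=64 * 1024, seed=7):
    """Constructed sample 'drive' contents: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def flip_byte(data, offset):
    """Simulate a bad write in the duplicate by inverting one byte."""
    mutated = bytearray(data)
    mutated[offset] ^= 0xFF
    return bytes(mutated)


def demo():
    """Image the sample device, verify it, then verify a corrupted copy."""
    device = io.BytesIO(build_sample_device())
    image = io.BytesIO()
    copied = image_device(device, image)
    good = verify_image(device, image)
    bad = verify_image(device, io.BytesIO(flip_byte(image.getvalue(), 100)))
    return copied, good["verified"], bad["verified"]


if __name__ == "__main__":
    copied, ok, tampered_ok = demo()
    print(f"copied {copied} bytes; clean image verified={ok}; tampered copy verified={tampered_ok}")
```

The verification record (`source`, `image`, `matches`) is what goes into the chain-of-custody notes alongside the tool name, time and examiner; recording all three digests lets older reports be cross-checked while the decision still rests on SHA-256.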

An alternative, patented approach, dubbed ‘hybrid forensics’ or ‘distributed forensics’, combines digital forensics and e-discovery processes. It has been embodied in a commercial tool called ISEEK, which was presented together with test results at a conference in 2017.

During the analysis phase an investigator recovers evidence material using a number of different methodologies and tools. In 2002, an article in the International Journal of Digital Evidence referred to this step as “an in-depth systematic search of evidence related to the suspected crime.” In 2006, forensics researcher Brian Carrier described an “intuitive procedure” in which obvious evidence is first identified and then “exhaustive searches are conducted to start filling in the holes.”

The actual process of analysis varies between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as in unallocated space and in file slack, the unused tail of a file’s last cluster that may still hold remnants of earlier data), recovering deleted files (from file-system metadata where it survives, otherwise by carving on known file signatures), and extracting Windows registry information (for example to list user accounts or previously attached USB devices).
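The keyword-search and deleted-file-recovery methods above, as an added example that is not code from the original page. It builds a small constructed raw image containing an allocated text file (with stale data in its slack), an allocated JPEG, and a deleted PNG and deleted note lying in unallocated space, then searches the whole image for keywords in both ASCII and UTF-16LE (the encoding Windows uses for many strings) and carves files by header and footer signature. The allocation map is hard-coded here; on a real image it comes from parsing the file system, and footer-based carving will miss fragmented files.

```python
"""Keyword search and signature carving over a raw image (added example, not E-SPIN's code)."""
import re

SECTOR = 512

# (type, header, footer, max_len): simple header/footer carving; the max length
# bounds the search when a footer is missing. Footers here are the standard
# JPEG EOI marker and the PNG IEND chunk with its fixed CRC.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
]


def build_sample_image():
    """Constructed image plus allocation map: (name, start, logical_size, span)."""
    def fill(content, stale=b""):
        # Sector-pad the content; `stale` simulates leftover bytes in file slack.
        block = content + stale
        span = -(-len(block) // SECTOR) * SECTOR
        return block + b"\x00" * (span - len(block))
    text_body = b"Invoice #4471 for Acme Ltd. Contact: bob@example.test\n"
    text = fill(text_body, stale=b"OLD DRAFT: wire to offshore account")
    jpeg_body = b"\xff\xd8\xff\xe0" + b"JFIF-SAMPLE-DATA" * 16 + b"\xff\xd9"
    jpeg = fill(jpeg_body)
    # Unallocated: a deleted PNG and a deleted UTF-16LE note (no metadata left).
    png = fill(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82")
    note = fill("deleted note: Password reset for admin".encode("utf-16-le"))
    image = text + jpeg + png + note + b"\x00" * (4 * SECTOR)
    files = [
        ("invoice.txt", 0, len(text_body), len(text)),
        ("photo.jpg", len(text), len(jpeg_body), len(jpeg)),
    ]
    return image, files


def classify(offset, files):
    """Label an offset as allocated, file slack, or unallocated space."""
    for name, start, logical, span in files:
        if start <= offset < start + logical:
            return "allocated:" + name
        if start + logical <= offset < start + span:
            return "slack:" + name
    return "unallocated"


def keyword_search(image, keywords, files):
    """Case-insensitive search of the whole image in ASCII and UTF-16LE."""
    hits = []
    for kw in keywords:
        for enc, pattern in (("ascii", kw.encode("ascii")),
                             ("utf-16le", kw.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pattern), image, re.IGNORECASE):
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "region": classify(m.start(), files)})
    return sorted(hits, key=lambda h: h["offset"])


def carve(image, signatures=SIGNATURES):
    """Recover files by header/footer signature regardless of file-system state."""
    found = []
    for ftype, header, footer, max_len in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:                 # header without footer: skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "start": start, "end": end,
                          "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["start"])


def demo():
    image, files = build_sample_image()
    hits = keyword_search(image, ["invoice", "password", "offshore"], files)
    return hits, carve(image)


if __name__ == "__main__":
    hits, carved = demo()
    for h in hits:
        print(f"{h['offset']:6d} {h['region']:22s} {h['encoding']:8s} {h['keyword']}")
    for c in carved:
        print(f"carved {c['type']} at {c['start']}-{c['end']} ({len(c['data'])} bytes)")
```

Reporting the region for each hit matters in practice: a keyword found in slack or unallocated space cannot be attributed to a named file or a user action without further work, and that distinction belongs in the report.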

The evidence recovered is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. When an investigation is complete the findings are presented, usually in the form of a written report, in lay terms.

Feel free to contact E-SPIN for your digital forensics needs, requirements and solutions.